Strange rebooting issue (pe386 rootkit)

I have recently built a new computer and within the past couple of days I have been getting BSOD's and random reboots.

Here is my latest dump:

Opened log file 'c:\debuglog.txt'

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini122906-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Fri Dec 29 04:24:15.640 2006 (GMT-5)
System Uptime: 0 days 13:58:46.335
Loading Kernel Symbols
..........................................................................................................................
Loading User Symbols
Loading unloaded module list
.............
Unable to load image system32:lzx32.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for lzx32.sys
*** ERROR: Module load completed but symbols could not be loaded for lzx32.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, b553e61d, b485ca28, 0}

Probably caused by : system32:lzx32.sys ( lzx32+261d )

Followup: MachineOwner
---------

1: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b553e61d, The address that the exception occurred at
Arg3: b485ca28, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
lzx32+261d
b553e61d 8a1401 mov dl,byte ptr [ecx+eax]

TRAP_FRAME: b485ca28 -- (.trap ffffffffb485ca28)
.trap ffffffffb485ca28
ErrCode = 00000000
eax=00000000 ebx=b5544549 ecx=0101d000 edx=804ffc2c esi=00001000 edi=0101c000
eip=b553e61d esp=b485ca9c ebp=b485caa8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
lzx32+0x261d:
b553e61d 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: mpas-d.exe

LAST_CONTROL_TRANSFER: from b5540479 to b553e61d

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b485caa8 b5540479 0101c000 0000001e b5544549 lzx32+0x261d
b485cafc b5540589 886108e8 01000000 01000210 lzx32+0x4479
b485cb60 b5540682 886108e8 e16f4460 883aeda8 lzx32+0x4589
b485cb80 805ceca1 00000ff8 886108e8 00000001 lzx32+0x4682
b485ccc4 805cf900 00d2ecbc 001f03ff 00000000 nt!PspCreateThread+0x3a7
b485cd3c 8054060c 00d2ecbc 001f03ff 00000000 nt!NtCreateThread+0xfc
b485cd3c 7c90eb94 00d2ecbc 001f03ff 00000000 nt!KiFastCallEntry+0xfc
00d2f338 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
lzx32+261d
b553e61d 8a1401 mov dl,byte ptr [ecx+eax]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: lzx32

IMAGE_NAME: system32:lzx32.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 458c3258

SYMBOL_NAME: lzx32+261d

FAILURE_BUCKET_ID: 0x8E_lzx32+261d

BUCKET_ID: 0x8E_lzx32+261d

Followup: MachineOwner
---------

eax=00000000 ebx=b5544549 ecx=0101d000 edx=804ffc2c esi=00001000 edi=0101c000
eip=b553e61d esp=b485ca9c ebp=b485caa8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
lzx32+0x261d:
b553e61d 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
b485caa8 b5540479 0101c000 0000001e b5544549 lzx32+0x261d
b485cafc b5540589 886108e8 01000000 01000210 lzx32+0x4479
b485cb60 b5540682 886108e8 e16f4460 883aeda8 lzx32+0x4589
b485cb80 805ceca1 00000ff8 886108e8 00000001 lzx32+0x4682
b485ccc4 805cf900 00d2ecbc 001f03ff 00000000 nt!PspCreateThread+0x3a7 (FPO: [Non-Fpo])
b485cd3c 8054060c 00d2ecbc 001f03ff 00000000 nt!NtCreateThread+0xfc (FPO: [Non-Fpo])
b485cd3c 7c90eb94 00d2ecbc 001f03ff 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b485cd64)
00d2f338 00000000 00000000 00000000 00000000 0x7c90eb94
start end module name
804d7000 806e2000 nt ntkrpamp.exe Tue Mar 01 19:34:38 2005 (42250A1E)
806e2000 80702d00 hal halmacpi.dll Wed Aug 04 01:59:09 2004 (41107B2D)
b4572000 b45b2280 HTTP HTTP.sys Thu Mar 16 20:33:09 2006 (441A03C5)
b471b000 b476c480 srv srv.sys Mon Aug 14 06:34:39 2006 (44E051BF)
b4c45000 b4c59400 wdmaud wdmaud.sys Wed Jun 14 05:00:44 2006 (448FD03C)
b4d82000 b4d90d80 sysaudio sysaudio.sys Wed Aug 04 02:15:54 2004 (41107F1A)
b51db000 b51f3980 dump_nvata dump_nvata.sys Mon May 01 20:26:57 2006 (4456A751)
b521c000 b52e3620 avg7core avg7core.sys Mon Oct 23 14:52:56 2006 (453D0F88)
b52e4000 b5352a00 mrxsmb mrxsmb.sys Fri May 05 05:41:42 2006 (445B1DD6)
b5353000 b537da00 rdbss rdbss.sys Fri May 05 05:47:55 2006 (445B1F4B)
b5426000 b542ed80 HIDCLASS HIDCLASS.SYS Wed Aug 04 02:08:18 2004 (41107D52)
b5446000 b5467d00 afd afd.sys Wed Aug 04 02:14:13 2004 (41107EB5)
b5468000 b5488f00 ipnat ipnat.sys Wed Sep 29 18:28:36 2004 (415B3714)
b5489000 b54b0c00 netbt netbt.sys Wed Aug 04 02:14:36 2004 (41107ECC)
b54b1000 b5508d80 tcpip tcpip.sys Thu Apr 20 07:51:47 2006 (444775D3)
b5509000 b551b400 ipsec ipsec.sys Wed Aug 04 02:14:27 2004 (41107EC3)
b553c000 b554e000 lzx32 lzx32.sys Fri Dec 22 14:30:32 2006 (458C3258)
b764e000 b766f700 portcls portcls.sys Tue Mar 16 14:58:17 2004 (40574E49)
b7698000 b7ad4000 RtkHDAud RtkHDAud.sys Fri May 26 01:20:52 2006 (44769034)
b9bd4000 b9c07200 update update.sys Wed Aug 04 01:58:32 2004 (41107B08)
b9c10000 b9c13f60 HPZipr12 HPZipr12.sys Wed May 14 02:49:53 2003 (3EC1E711)
b9c14000 b9c17a00 kbdhid kbdhid.sys Wed Aug 04 01:58:33 2004 (41107B09)
b9c1c000 b9c1ef80 mouhid mouhid.sys Fri Aug 17 16:47:57 2001 (3B7D82FD)
b9c28000 b9c2a580 hidusb hidusb.sys Fri Aug 17 17:02:16 2001 (3B7D8658)
b9c30000 b9c40e00 psched psched.sys Wed Aug 04 02:04:16 2004 (41107C60)
b9c71000 b9c80900 Cdfs Cdfs.SYS Wed Aug 04 02:14:09 2004 (41107EB1)
b9c81000 b9c8d660 HPZid412 HPZid412.sys Wed May 14 02:49:50 2003 (3EC1E70E)
b9ce1000 b9cf7680 ndiswan ndiswan.sys Wed Aug 04 02:14:30 2004 (41107EC6)
b9cf8000 b9d0b900 parport parport.sys Wed Aug 04 01:59:04 2004 (41107B28)
b9d0c000 b9d56000 agntoad0 agntoad0.SYS Sat Nov 18 03:32:12 2006 (455EC50C)
b9d56000 b9da9000 NVSNPU NVSNPU.SYS Tue May 16 22:24:18 2006 (446A8952)
b9da9000 b9eaf880 NVNRM NVNRM.SYS Tue May 16 22:24:41 2006 (446A8969)
b9eb0000 b9ed5000 HDAudBus HDAudBus.sys Fri Jan 07 20:07:15 2005 (41DF3243)
b9ed5000 b9ef7680 ks ks.sys Wed Aug 04 02:15:20 2004 (41107EF8)
b9ef8000 b9f1ae80 USBPORT USBPORT.SYS Wed Aug 04 02:08:34 2004 (41107D62)
b9f1b000 b9f2e780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 02:07:04 2004 (41107D08)
b9f2f000 ba4ac800 nv4_mini nv4_mini.sys Fri Nov 17 03:17:02 2006 (455D6FFE)
ba4c9000 ba4cb580 ndistapi ndistapi.sys Fri Aug 17 16:55:29 2001 (3B7D84C1)
ba4e1000 ba4e3280 rasacd rasacd.sys Fri Aug 17 16:55:39 2001 (3B7D84CB)
ba4f5000 ba4f7900 Dxapi Dxapi.sys Fri Aug 17 16:53:19 2001 (3B7D843F)
ba51d000 ba537580 Mup Mup.sys Wed Aug 04 02:15:20 2004 (41107EF8)
ba538000 ba564a80 NDIS NDIS.sys Wed Aug 04 02:14:27 2004 (41107EC3)
ba565000 ba5f1480 Ntfs Ntfs.sys Wed Aug 04 02:15:06 2004 (41107EEA)
ba5f2000 ba608780 KSecDD KSecDD.sys Wed Aug 04 01:59:45 2004 (41107B51)
ba609000 ba628780 fltMgr fltMgr.sys Mon Aug 21 05:14:57 2006 (44E97991)
ba629000 ba641980 nvata nvata.sys Mon May 01 20:26:57 2006 (4456A751)
ba642000 ba659480 atapi atapi.sys Wed Aug 04 01:59:41 2004 (41107B4D)
ba65a000 ba678880 ftdisk ftdisk.sys Fri Aug 17 16:52:41 2001 (3B7D8419)
ba679000 ba689a80 pci pci.sys Wed Aug 04 02:07:45 2004 (41107D31)
ba68a000 ba6b7d80 ACPI ACPI.sys Wed Aug 04 02:07:35 2004 (41107D27)
ba6b8000 ba6cf800 SCSIPORT SCSIPORT.SYS Wed Aug 04 01:59:39 2004 (41107B4B)
ba6d0000 ba7a7000 sptd sptd.sys Sun Nov 19 11:53:27 2006 (45608C07)
ba8a8000 ba8b6e80 ohci1394 ohci1394.sys Wed Aug 04 02:10:05 2004 (41107DBD)
ba8b8000 ba8c5000 1394BUS 1394BUS.SYS Wed Aug 04 02:10:03 2004 (41107DBB)
ba8c8000 ba8d0c00 isapnp isapnp.sys Fri Aug 17 16:58:01 2001 (3B7D8559)
ba8d8000 ba8e2500 MountMgr MountMgr.sys Wed Aug 04 01:58:29 2004 (41107B05)
ba8e8000 ba8f4c80 VolSnap VolSnap.sys Wed Aug 04 02:00:14 2004 (41107B6E)
ba8f8000 ba900f80 ultra ultra.sys Fri Aug 17 16:52:19 2001 (3B7D8403)
ba908000 ba912900 jraid jraid.sys Fri Jun 02 07:49:57 2006 (448025E5)
ba918000 ba920e00 disk disk.sys Wed Aug 04 01:59:53 2004 (41107B59)
ba928000 ba934200 CLASSPNP CLASSPNP.SYS Wed Aug 04 02:14:26 2004 (41107EC2)
ba938000 ba942880 sbp2port sbp2port.sys Wed Aug 04 01:59:54 2004 (41107B5A)
ba968000 ba976000 AmdK8 AmdK8.sys Mon Mar 07 16:58:10 2005 (422CCE72)
ba988000 ba990700 wanarp wanarp.sys Wed Aug 04 02:04:57 2004 (41107C89)
ba998000 ba9a6d80 arp1394 arp1394.sys Wed Aug 04 01:58:28 2004 (41107B04)
ba9a8000 ba9b0700 netbios netbios.sys Wed Aug 04 02:03:19 2004 (41107C27)
ba9d8000 ba9e0880 Fips Fips.SYS Fri Aug 17 21:31:49 2001 (3B7DC585)
baa28000 baa32380 imapi imapi.sys Wed Aug 04 02:00:12 2004 (41107B6C)
baa38000 baa44180 cdrom cdrom.sys Wed Aug 04 01:59:52 2004 (41107B58)
baa48000 baa56080 redbook redbook.sys Wed Aug 04 01:59:34 2004 (41107B46)
baa58000 baa67180 nic1394 nic1394.sys Wed Aug 04 01:58:28 2004 (41107B04)
baa68000 baa71000 nvnetbus nvnetbus.sys Tue May 16 22:25:01 2006 (446A897D)
baa78000 baa84880 rasl2tp rasl2tp.sys Wed Aug 04 02:14:21 2004 (41107EBD)
baa88000 baa92200 raspppoe raspppoe.sys Wed Aug 04 02:05:06 2004 (41107C92)
baa98000 baaa3d00 raspptp raspptp.sys Wed Aug 04 02:14:26 2004 (41107EC2)
baaa8000 baab0900 msgpc msgpc.sys Wed Aug 04 02:04:11 2004 (41107C5B)
baab8000 baac3900 pcouffin pcouffin.sys Tue Dec 05 09:39:53 2006 (457584B9)
baac8000 baad1f00 termdd termdd.sys Wed Aug 04 01:58:52 2004 (41107B1C)
baad8000 baae1480 NDProxy NDProxy.SYS Fri Aug 17 16:55:30 2001 (3B7D84C2)
baae8000 baaf6100 usbhub usbhub.sys Wed Aug 04 02:08:40 2004 (41107D68)
baaf8000 bab06b80 drmk drmk.sys Wed Aug 04 02:07:54 2004 (41107D3A)
bab08000 bab14e00 NVENETFD NVENETFD.sys Tue May 16 22:24:58 2006 (446A897A)
bab28000 bab2e200 PCIIDEX PCIIDEX.SYS Wed Aug 04 01:59:40 2004 (41107B4C)
bab30000 bab34900 PartMgr PartMgr.sys Fri Aug 17 21:32:23 2001 (3B7DC5A7)
bab40000 bab46180 HIDPARSE HIDPARSE.SYS Wed Aug 04 02:08:15 2004 (41107D4F)
bab68000 bab6ef00 avg7rsxp avg7rsxp.sys Mon Jun 19 04:21:28 2006 (44965E88)
bab70000 bab75200 vga vga.sys Wed Aug 04 02:07:06 2004 (41107D0A)
bab80000 bab84a80 Msfs Msfs.SYS Wed Aug 04 02:00:37 2004 (41107B85)
bab88000 bab8e780 USBSTOR USBSTOR.SYS Wed Aug 04 02:08:44 2004 (41107D6C)
bab90000 bab97880 Npfs Npfs.SYS Wed Aug 04 02:00:38 2004 (41107B86)
bab98000 bab9c880 TDI TDI.SYS Wed Aug 04 02:07:47 2004 (41107D33)
baba8000 babae500 usbprint usbprint.sys Wed Aug 04 02:01:23 2004 (41107BB3)
babb8000 babbd440 HPZius12 HPZius12.sys Fri Oct 21 03:22:46 2005 (43589746)
babc0000 babc4580 ptilink ptilink.sys Fri Aug 17 16:49:53 2001 (3B7D8371)
babd0000 babd4080 raspti raspti.sys Fri Aug 17 16:55:32 2001 (3B7D84C4)
babf0000 babf6000 kbdclass kbdclass.sys Wed Aug 04 01:58:32 2004 (41107B08)
bac00000 bac05a00 mouclass mouclass.sys Wed Aug 04 01:58:32 2004 (41107B08)
bac60000 bac64280 usbohci usbohci.sys Wed Aug 04 02:08:34 2004 (41107D62)
bac78000 bac7c500 watchdog watchdog.sys Wed Aug 04 02:07:32 2004 (41107D24)
bac90000 bac96800 usbehci usbehci.sys Wed Aug 04 02:08:34 2004 (41107D62)
bac98000 bac9fb80 usbccgp usbccgp.sys Wed Aug 04 02:08:45 2004 (41107D6D)
bacb8000 bacbb000 BOOTVID BOOTVID.dll Fri Aug 17 16:49:09 2001 (3B7D8345)
bad74000 bad77c80 mssmbios mssmbios.sys Wed Aug 04 02:07:47 2004 (41107D33)
bada8000 bada9b80 kdcom kdcom.dll Fri Aug 17 16:49:10 2001 (3B7D8346)
badaa000 badab100 WMILIB WMILIB.SYS Fri Aug 17 17:07:23 2001 (3B7D878B)
badac000 badadb00 JGOGO JGOGO.sys Tue Feb 07 06:52:58 2006 (43E88A1A)
badd2000 badd3100 swenum swenum.sys Wed Aug 04 01:58:41 2004 (41107B11)
badda000 baddb280 USBD USBD.SYS Fri Aug 17 17:02:58 2001 (3B7D8682)
bade4000 bade5f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 16:49:37 2001 (3B7D8361)
bade8000 bade9080 Beep Beep.SYS Fri Aug 17 16:47:33 2001 (3B7D82E5)
badee000 badef080 mnmdd mnmdd.SYS Fri Aug 17 16:57:28 2001 (3B7D8538)
badf2000 badf3080 RDPCDD RDPCDD.sys Fri Aug 17 16:46:56 2001 (3B7D82C0)
badfe000 badff080 avg7rsw avg7rsw.sys Tue Jul 26 08:10:51 2005 (42E6284B)
bae26000 bae27100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 17:07:23 2001 (3B7D878B)
bae60000 bae61a80 ParVdm ParVdm.SYS Fri Aug 17 16:49:49 2001 (3B7D836D)
bae70000 bae70d00 pciide pciide.sys Fri Aug 17 16:51:49 2001 (3B7D83E5)
baf1d000 baf1dc00 audstub audstub.sys Fri Aug 17 16:59:40 2001 (3B7D85BC)
baf7d000 baf7db80 Null Null.SYS Fri Aug 17 16:47:39 2001 (3B7D82EB)
baf7f000 baf7ff80 avgclean avgclean.sys Mon Aug 21 18:55:15 2006 (44EA39D3)
baf9f000 baf9fd00 dxgthk dxgthk.sys Fri Aug 17 16:53:12 2001 (3B7D8438)
bf800000 bf9c1180 win32k win32k.sys Wed Oct 05 20:05:44 2005 (43446A58)
bf9c2000 bf9d3580 dxg dxg.sys Wed Aug 04 02:00:51 2004 (41107B93)
bf9d4000 bff4c900 nv4_disp nv4_disp.dll Fri Nov 17 03:10:02 2006 (455D6E5A)

Unloaded modules:
b2e65000 b2e90000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b4b57000 b4b82000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
baf5f000 baf60000 drmkaud.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b4d72000 b4d7f000 DMusic.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b4f1a000 b4f28000 swmidi.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b4b82000 b4ba5000 aec.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
badce000 badd0000 splitter.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ba9c8000 ba9d1000 processr.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ba9b8000 ba9c8000 serial.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ba4e9000 ba4ed000 kbdhid.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ba978000 ba985000 i8042prt.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
bac78000 bac7d000 Cdaudio.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
ba4f1000 ba4f4000 Sfloppy.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
Closing open log file c:\debuglog.txt

Please help me with this problem. Thanks!!

 

Your system choked when Windows Defender was trying to remove a very nasty malware on your system, C:\Windows\System32:lzx32.sys

This particular nasty uses Rootkits.

This question is better handled in the Spyware and Malware Removal forum.

MODS -- Please move.

If they do not see the request for the thread move, read the Sticky note at the top of the subforum, and then post there, referencing this original thread.
http://www.windowsbbs.com/forumdisplay.php?f=41

Best of luck.

 

Welcome to the forums jsmedina.

As Bill so properly indicated this is a root kit issue. We'll need you to run HJT so we can get a better look at the system. While this is not likely to show the rootkit, it may show other bits of malware as rootkits usually hide within other bundled malware.

Please download and install HijacjkThis! as instructed below.

HiJackThis v1.99.1 zip.
Download the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. In this way when you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

Run the program, and press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order

 

Hi JS

After you get the HJT log posted.

Would be nice if you had WinPE repair disk such as Ultimate BootCD Win.

Do this:

Download the following

http://majorgeeks.com/downloadget.php?id=5156&file=15&evp=a398348782dc4a215a61e05819e7ec06

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

This site has several Rootkit cleaners at least get the Bitdefender.
http://liveammo.blogspot.com/2006/08/collection-of-rootkit-removal-tools.html

http://www.ezpcfix.net/html/download.htm

Here are the steps:

Get to repair console and delete the obvious: delete the lzx32.sys

then do not allow to boot full mode but go to safe mode

Clear all temps

Run at least 3 (what one misses the other may get) of the above back to back.

Only then reboot to normal.

Mike

 

The following are ineffective in detecting system32:lzx32.sys:

RootkitRevealer
BlackLight
Rkdetector
gmer.exe
endoscope.EXE
DarkSpy
Anti-Rootkit

http://www.sarc.com/avcenter/venc/data/backdoor.rustock.b.html

These include all the suggestions above.

Under expert hands you can use GMER to remove the root kit.

Note that lzx32.sys is in an ADS stream, and not a conventional directory. The notion that you can directly delete it, even under a PE environment, is just not true.

Also, and importantly, lzx32.sys is a symptom and not the cause. There are a few steps still needed to be done to effectively handle this nasty.

Let TeMerc handle this.

 

Here's my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:50:05 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RssReader\RssReader.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Power Grab 2002\POWRGRAB.EXE
C:\Program Files\BOINC\projects\spin.fh-bielefeld.de\metropolis_2.42_windows_intelx86.exe
C:\Program Files\BOINC\projects\dist.ist.tugraz.at_cape5\tcape-crossing_5.49_windows_intelx86.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: DIMES-Agent.lnk = C:\Program Files\DIMES\Agent\DimesDelayedLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166344555375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166344624046
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: khfgggd - khfgggd.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

Ok, lets run ComboFix and see what else it finds along with this rootkit. Then it's likely we'll be running GMER.

Download combofix.exe

• Double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

 

I had to cut the combofix log in half, forun said it was too big.

Here's part 1

John S. Medina - 06-12-30 2:57:05.35 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\John S. Medina\Desktop "

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3C6DFDB7-08A2-1033-0919-060523060001}


((((((((((((((((((((((((((((((( Files Created from 2006-11-30 to 2006-12-30 ))))))))))))))))))))))))))))))))))


2006-12-30 01:57 <DIR> d-------- C:\WINDOWS\Temporary Internet Files
2006-12-30 01:57 <DIR> d-------- C:\WINDOWS\Temp
2006-12-30 01:57 <DIR> d-------- C:\WINDOWS\Recent
2006-12-30 01:57 <DIR> d-------- C:\WINDOWS\Prefetch
2006-12-30 01:57 <DIR> d-------- C:\WINDOWS\History
2006-12-30 01:57 <DIR> d-------- C:\System Volume Information
2006-12-30 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Recent
2006-12-30 01:56 <DIR> d-------- C:\Program Files\Softwin
2006-12-29 13:46 <DIR> d-------- C:\HJT
2006-12-29 05:09 <DIR> d-------- C:\symbols
2006-12-29 05:09 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2006-12-29 04:42 <DIR> d-------- C:\Program Files\Support Tools
2006-12-28 02:12 <DIR> d-------- C:\Program Files\a-squared Free
2006-12-28 02:09 <DIR> d-------- C:\Program Files\Windows Defender
2006-12-28 02:05 <DIR> dr-h----- C:\Documents and Settings\John S. Medina\Recent
2006-12-28 02:00 <DIR> d-------- C:\Program Files\CCleaner
2006-12-27 05:18 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Help
2006-12-27 03:16 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\vlc
2006-12-27 03:15 <DIR> d-------- C:\Program Files\VideoLAN
2006-12-26 14:50 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-24 05:23 930 --a------ C:\WINDOWS\system32\winpfz32.sys
2006-12-24 05:23 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-12-24 05:17 <DIR> d-------- C:\Program Files\Alcohol Soft
2006-12-24 05:15 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-12-24 05:14 <DIR> d-------- C:\Program Files\QuickPar
2006-12-24 05:12 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-24 04:13 <DIR> d-------- C:\Documents and Settings\John S. Medina\DoctorWeb
2006-12-24 03:53 2,560 --a------ C:\WINDOWS\system32\unsvchosts.exe
2006-12-24 02:43 <DIR> d-------- C:\Program Files\PinMAME
2006-12-23 05:52 790,090 ---hs---- C:\WINDOWS\system32\wycdd.bak2
2006-12-23 05:33 790,090 ---hs---- C:\WINDOWS\system32\wycdd.bak1
2006-12-23 05:20 22,541 ---hs---- C:\WINDOWS\system32\nnnonnm.dll
2006-12-23 05:20 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-22 02:17 <DIR> d-------- C:\Program Files\uTorrent
2006-12-22 02:17 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\uTorrent
2006-12-22 02:14 <DIR> d-------- C:\Program Files\MESS
2006-12-22 02:13 <DIR> d-------- C:\Program Files\TorrentZip
2006-12-22 01:50 <DIR> d-------- C:\Program Files\MAME
2006-12-20 22:38 36,736 --a------ C:\WINDOWS\system32\drivers\ultra.sys
2006-12-20 19:17 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Apple Computer
2006-12-20 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-20 19:12 <DIR> d-------- C:\Program Files\QuickTime
2006-12-19 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-19 20:12 327,168 --a------ C:\WINDOWS\IsUninst.exe
2006-12-19 19:03 <DIR> d-------- C:\Program Files\Power Grab 2002
2006-12-19 19:02 <DIR> d-------- C:\Program Files\GoodMerge
2006-12-19 18:59 <DIR> d-------- C:\Program Files\GoodGUI
2006-12-19 18:56 <DIR> d-------- C:\Program Files\clrmamepro
2006-12-19 18:52 <DIR> d-------- C:\Program Files\Adobe
2006-12-19 18:52 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Adobe
2006-12-19 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-19 18:48 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-12-19 12:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2006-12-19 12:07 <DIR> d-------- C:\Program Files\EA GAMES
2006-12-19 11:56 10,752 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-12-19 11:52 94,080 --a------ C:\WINDOWS\system32\drivers\ezplay.sys
2006-12-19 11:52 94,080 --a------ C:\Documents and Settings\John S. Medina\Application Data\ezplay.sys
2006-12-19 11:52 87,608 --a------ C:\Documents and Settings\John S. Medina\Application Data\ezpinst.exe
2006-12-19 11:52 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2006-12-19 11:52 47,360 --a------ C:\Documents and Settings\John S. Medina\Application Data\pcouffin.sys
2006-12-19 11:52 <DIR> d-------- C:\Program Files\VSO
2006-12-19 11:52 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Vso
2006-12-19 11:44 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-19 11:41 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-19 11:41 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-19 11:41 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-19 11:41 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\AVG7
2006-12-19 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-19 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-12-19 11:30 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Ahead
2006-12-19 11:29 <DIR> d-------- C:\Program Files\Nero
2006-12-19 11:29 <DIR> d-------- C:\Program Files\Common Files\Ahead
2006-12-19 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2006-12-19 06:05 442,368 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2006-12-19 06:04 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2006-12-19 06:04 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2006-12-19 06:04 208,896 --------- C:\WINDOWS\system32\nvuide.exe
2006-12-19 06:04 109,568 --a------ C:\WINDOWS\system32\drivers\nvtcp.sys
2006-12-19 05:34 <DIR> d-------- C:\WINDOWS\NV23242452.TMP
2006-12-19 05:30 <DIR> d-------- C:\Program Files\WinRAR
2006-12-19 05:09 <DIR> d-------- C:\Program Files\eMule
2006-12-18 02:51 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\OfficeUpdate12
2006-12-18 02:48 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2006-12-18 02:47 <DIR> d-------- C:\Program Files\MSBuild
2006-12-18 02:47 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-12-18 02:47 <DIR> d-------- C:\Program Files\Microsoft Works
2006-12-18 02:47 <DIR> d-------- C:\Program Files\Microsoft Visual Studio
2006-12-18 02:47 <DIR> d-------- C:\Program Files\Common Files\DESIGNER
2006-12-18 02:45 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-12-18 02:45 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2006-12-18 02:44 <DIR> dr-h----- C:\MSOCache
2006-12-18 02:44 <DIR> d-------- C:\Program Files\Microsoft Office
2006-12-18 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2006-12-18 02:35 <DIR> d-------- C:\Program Files\Microsoft Streets & Trips
2006-12-18 02:35 <DIR> d-------- C:\Program Files\Microsoft Location Finder
2006-12-18 02:23 <DIR> d-------- C:\Program Files\RssReader
2006-12-18 02:14 <DIR> d-------- C:\Program Files\Microsoft Money 2007
2006-12-18 02:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2006-12-18 02:07 <DIR> d-------- C:\WINDOWS\system32\windows media
2006-12-18 01:40 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-12-18 01:40 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2006-12-18 01:40 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2006-12-18 01:40 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-12-18 01:40 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2006-12-18 01:40 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2006-12-18 01:30 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-12-17 05:53 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2006-12-17 05:48 <DIR> d-------- C:\Program Files\DIMES
2006-12-17 05:48 <DIR> d-------- C:\Documents and Settings\John S. Medina\.netgraph
2006-12-17 05:03 <DIR> d-------- C:\WINDOWS\Sun
2006-12-17 05:03 <DIR> d-------- C:\Program Files\Java
2006-12-17 05:03 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Sun
2006-12-17 05:01 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-17 04:50 43,136 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2006-12-17 04:49 94,208 -ra------ C:\WINDOWS\system32\HPZipt12.dll
2006-12-17 04:49 65,795 -ra------ C:\WINDOWS\system32\HPZipm12.exe
2006-12-17 04:49 61,699 -ra------ C:\WINDOWS\system32\HPZinw12.exe
2006-12-17 04:49 57,344 -ra------ C:\WINDOWS\system32\HPZisn12.dll
2006-12-17 04:49 51,056 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
2006-12-17 04:49 266,296 -ra------ C:\WINDOWS\system32\HPZidr12.dll
2006-12-17 04:49 196,608 -ra------ C:\WINDOWS\system32\HPZipr12.dll
2006-12-17 04:49 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2006-12-17 04:46 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2006-12-17 04:46 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2006-12-17 04:46 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2006-12-17 04:46 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2006-12-17 04:46 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2006-12-17 04:41 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-12-17 04:41 <DIR> d-------- C:\Program Files\BOINC
2006-12-17 04:40 208,896 --a------ C:\WINDOWS\system32\hpzcoi09.dll
2006-12-17 04:19 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-12-17 04:14 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-17 04:13 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-17 04:13 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-17 04:13 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-17 04:11 <DIR> d-------- C:\WINDOWS\system32\DRM
2006-12-17 04:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-17 04:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-17 04:10 <DIR> d-------- C:\WINDOWS\system32\en-us
2006-12-17 04:10 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-17 04:06 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2006-12-17 04:04 <DIR> dr--s---- C:\WINDOWS\assembly
2006-12-17 04:04 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2006-12-17 04:04 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2006-12-17 03:58 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2006-12-17 03:58 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2006-12-17 03:58 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2006-12-17 03:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-17 03:39 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-17 03:39 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-17 03:36 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-17 03:36 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-17 02:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2006-12-17 02:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2006-12-17 02:52 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-12-17 02:52 <DIR> d-------- C:\WINDOWS\nview
2006-12-17 02:51 5,756,928 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-12-17 02:51 5,736,704 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-12-17 02:47 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-12-17 02:47 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-12-17 02:47 <DIR> d-------- C:\Program Files\Grisoft
2006-12-17 02:43 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Macromedia
2006-12-17 02:42 <DIR> d--hs---- C:\RECYCLER
2006-12-17 02:35 <DIR> d--hs---- C:\Documents and Settings\John S. Medina\UserData
2006-12-17 02:27 6,912 -ra------ C:\WINDOWS\system32\drivers\JGOGO.sys
2006-12-17 02:27 43,264 -ra------ C:\WINDOWS\system32\drivers\jraid.sys
2006-12-17 02:27 385,024 -r------- C:\WINDOWS\system32\JMRaidTool.exe
2006-12-17 02:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2006-12-17 02:27 <DIR> d-------- C:\WINDOWS\JM
2006-12-17 02:25 9,709,568 -r------- C:\WINDOWS\RTLCPL.exe
2006-12-17 02:25 86,016 -r------- C:\WINDOWS\SoundMan.exe
2006-12-17 02:25 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-12-17 02:25 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-12-17 02:25 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2006-12-17 02:25 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-12-17 02:25 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-17 02:25 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-12-17 02:25 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-12-17 02:25 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-12-17 02:25 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-12-17 02:25 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2006-12-17 02:25 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2006-12-17 02:25 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-12-17 02:25 4,279,296 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2006-12-17 02:25 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-12-17 02:25 364,544 -r------- C:\WINDOWS\RtlUpd.exe
2006-12-17 02:25 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-12-17 02:25 2,879,488 -r------- C:\WINDOWS\SkyTel.exe
2006-12-17 02:25 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2006-12-17 02:25 2,158,592 -r------- C:\WINDOWS\MicCal.exe
2006-12-17 02:25 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-12-17 02:25 16,208,384 -r------- C:\WINDOWS\RTHDCPL.exe
2006-12-17 02:25 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-12-17 02:25 135,168 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2006-12-17 02:25 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2006-12-17 02:25 <DIR> d-------- C:\Program Files\Realtek
2006-12-17 02:24 36,352 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2006-12-17 02:24 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-17 02:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2006-12-17 02:24 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2006-12-17 02:24 <DIR> d-------- C:\Program Files\AMD
2006-12-17 02:23 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-12-17 02:23 159,232 --a------ C:\WINDOWS\system32\fdco_l1036.dll
2006-12-17 02:23 159,232 --a------ C:\WINDOWS\system32\fdco_l1034.dll
2006-12-17 02:23 159,232 --a------ C:\WINDOWS\system32\fdco_l1031.dll
2006-12-17 02:23 158,720 --a------ C:\WINDOWS\system32\fdco_l1046.dll
2006-12-17 02:23 158,720 --a------ C:\WINDOWS\system32\fdco_l1040.dll
2006-12-17 02:23 156,672 --a------ C:\WINDOWS\system32\fdco_l1042.dll
2006-12-17 02:23 156,672 --a------ C:\WINDOWS\system32\fdco_l1041.dll
2006-12-17 02:23 155,648 --a------ C:\WINDOWS\system32\fdco_l1028.dll
2006-12-17 02:23 155,136 --a------ C:\WINDOWS\system32\fdco_l2052.dll
2006-12-17 02:23 10,240 --a------ C:\WINDOWS\system32\bdco1ins.dll
2006-12-17 02:23 <DIR> d-------- C:\WINDOWS\NV10841068.TMP
2006-12-17 02:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield

 

Here's part 2:

2006-12-17 02:18 <DIR> dr-h----- C:\Documents and Settings\John S. Medina\SendTo
2006-12-17 02:18 <DIR> dr-h----- C:\Documents and Settings\John S. Medina\Application Data\.
2006-12-17 02:18 <DIR> dr-h----- C:\Documents and Settings\John S. Medina\Application Data
2006-12-17 02:18 <DIR> dr------- C:\Documents and Settings\John S. Medina\Start Menu
2006-12-17 02:18 <DIR> dr------- C:\Documents and Settings\John S. Medina\My Documents
2006-12-17 02:18 <DIR> dr------- C:\Documents and Settings\John S. Medina\Favorites
2006-12-17 02:18 <DIR> d--hs---- C:\Documents and Settings\John S. Medina\Cookies
2006-12-17 02:18 <DIR> d--h----- C:\Program Files\Uninstall Information
2006-12-17 02:18 <DIR> d--h----- C:\Documents and Settings\John S. Medina\Templates
2006-12-17 02:18 <DIR> d--h----- C:\Documents and Settings\John S. Medina\PrintHood
2006-12-17 02:18 <DIR> d--h----- C:\Documents and Settings\John S. Medina\NetHood
2006-12-17 02:18 <DIR> d--h----- C:\Documents and Settings\John S. Medina\Local Settings
2006-12-17 02:18 <DIR> d---s---- C:\Documents and Settings\John S. Medina\Application Data\Microsoft
2006-12-17 02:18 <DIR> d-------- C:\Documents and Settings\John S. Medina\Desktop
2006-12-17 02:18 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\Identities
2006-12-17 02:18 <DIR> d-------- C:\Documents and Settings\John S. Medina\Application Data\..
2006-12-17 02:18 <DIR> d-------- C:\Documents and Settings\John S. Medina\..
2006-12-17 02:18 <DIR> d-------- C:\Documents and Settings\John S. Medina\.
2006-12-17 02:15 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2006-12-17 02:15 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-12-17 02:13 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-12-17 02:13 0 -rahs---- C:\MSDOS.SYS
2006-12-17 02:13 0 -rahs---- C:\IO.SYS
2006-12-17 02:13 0 --a------ C:\CONFIG.SYS
2006-12-17 02:13 0 --a------ C:\AUTOEXEC.BAT
2006-12-17 02:13 <DIR> d-------- C:\WINDOWS\system32\xircom
2006-12-17 02:13 <DIR> d-------- C:\Program Files\xerox
2006-12-17 02:13 <DIR> d-------- C:\Program Files\microsoft frontpage
2006-12-17 02:12 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2006-12-17 02:12 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2006-12-17 02:12 <DIR> d--h----- C:\Program Files\WindowsUpdate
2006-12-17 02:12 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2006-12-17 02:11 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-12-17 02:11 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-12-17 02:11 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-12-17 02:11 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-12-17 02:11 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-17 02:11 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-12-17 02:11 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-12-17 02:11 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-17 02:11 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-17 02:11 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-12-17 02:11 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-17 02:11 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-12-17 02:11 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-17 02:11 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-12-17 02:11 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-12-17 02:11 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-12-17 02:11 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-12-17 02:11 <DIR> d---s---- C:\WINDOWS\Tasks
2006-12-17 02:11 <DIR> d-------- C:\WINDOWS\system32\Macromed
2006-12-17 02:11 <DIR> d-------- C:\WINDOWS\system32\DirectX
2006-12-17 02:11 <DIR> d-------- C:\WINDOWS\srchasst
2006-12-17 02:11 <DIR> d-------- C:\Program Files\Movie Maker
2006-12-17 02:11 <DIR> d-------- C:\Program Files\Common Files\Services
2006-12-17 02:11 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2006-12-17 02:10 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-12-17 02:10 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-12-17 02:10 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-12-17 02:10 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-12-17 02:10 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-12-17 02:10 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-12-17 02:10 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-12-17 02:10 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-12-17 02:10 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-12-17 02:10 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-12-17 02:10 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-12-17 02:10 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-12-17 02:10 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-12-17 02:10 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-17 02:10 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-12-17 02:10 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-12-17 02:10 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-12-17 02:10 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-12-17 02:10 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-12-17 02:10 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-12-17 02:10 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-12-17 02:10 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-12-17 02:10 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-12-17 02:10 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-12-17 02:10 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-12-17 02:10 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-12-17 02:10 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-17 02:10 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-12-17 02:10 <DIR> d-------- C:\WINDOWS\system32\Restore
2006-12-17 02:10 <DIR> d-------- C:\WINDOWS\Registration
2006-12-17 02:10 <DIR> d-------- C:\Program Files\Outlook Express
2006-12-17 02:10 <DIR> d-------- C:\Program Files\NetMeeting
2006-12-17 02:10 <DIR> d-------- C:\Program Files\Internet Explorer
2006-12-17 02:10 <DIR> d-------- C:\Program Files\ComPlus Applications
2006-12-17 02:10 <DIR> d-------- C:\Program Files\Common Files\System
2006-12-17 02:09 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-12-17 02:09 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-12-17 02:09 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-17 02:09 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-12-17 02:09 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-12-17 02:09 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-17 02:09 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-17 02:09 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-12-17 02:09 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-12-17 02:09 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-12-17 02:09 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-12-17 02:09 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-12-17 02:09 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-12-17 02:09 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-12-17 02:09 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-12-17 02:09 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-12-17 02:09 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-12-17 02:09 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-12-17 02:09 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-12-17 02:09 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-12-17 02:09 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-12-17 02:09 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-17 02:09 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-12-17 02:09 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-12-17 02:09 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-12-17 02:09 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-12-17 02:09 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-12-17 02:09 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-12-17 02:09 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-12-17 02:09 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-12-17 02:09 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-12-17 02:09 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-12-17 02:09 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-12-17 02:09 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-17 02:09 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-17 02:09 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-17 02:09 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-17 02:09 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-12-17 02:09 <DIR> d-------- C:\Program Files\Windows Media Player
2006-12-17 02:09 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2006-12-17 02:09 <DIR> d-------- C:\Program Files\Messenger
2006-12-17 02:08 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-12-17 02:08 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-12-17 02:08 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-12-17 02:08 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-12-17 02:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-12-17 02:08 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-17 02:08 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-12-17 02:08 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-17 02:08 600,576 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-17 02:08 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-12-17 02:08 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-12-17 02:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-17 02:08 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-12-17 02:08 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-12-17 02:08 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-12-17 02:08 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-12-17 02:08 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-12-17 02:08 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-12-17 02:08 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-17 02:08 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-12-17 02:08 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-12-17 02:08 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-12-17 02:08 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-12-17 02:08 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-17 02:08 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-12-17 02:08 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-12-17 02:08 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-12-17 02:08 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-17 02:08 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-12-17 02:08 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-12-17 02:08 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-12-17 02:08 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-12-17 02:08 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-12-17 02:08 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-12-17 02:08 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-17 02:08 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-12-17 02:08 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-17 02:08 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-17 02:08 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-17 02:08 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-12-17 02:08 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-12-17 02:08 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-12-17 02:08 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-12-17 02:08 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-17 02:08 1,866,240 --a------ C:\WINDOWS\system32\mstscax.dll
2006-12-17 02:08 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-12-17 02:08 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2006-12-17 02:08 <DIR> d-------- C:\WINDOWS\system32\Com
2006-12-17 02:08 <DIR> d-------- C:\Program Files\Windows NT
2006-12-16 21:07 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-12-16 21:06 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-12-16 21:06 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-12-16 21:06 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-12-16 21:05 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-12-16 21:05 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-12-16 21:03 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2006-12-16 21:03 9,008 --a------ C:\WINDOWS\system\VER.DLL
2006-12-16 21:03 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-12-16 21:03 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2006-12-16 21:03 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-12-16 21:03 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-12-16 21:03 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-12-16 21:03 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-12-16 21:03 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2006-12-16 21:03 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-12-16 21:03 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-12-16 21:03 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-12-16 21:03 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-12-16 21:03 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-12-16 21:03 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2006-12-16 21:03 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2006-12-16 21:03 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-12-16 21:03 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2006-12-16 21:03 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2006-12-16 21:03 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-12-16 21:03 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2006-12-16 21:03 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-12-16 21:03 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2006-12-16 21:03 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-12-16 21:03 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2006-12-16 21:03 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-12-16 21:03 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-12-16 21:03 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data
2006-12-16 21:03 <DIR> dr------- C:\Program Files\Common Files\..
2006-12-16 21:03 <DIR> dr------- C:\Program Files\.
2006-12-16 21:03 <DIR> dr------- C:\Program Files
2006-12-16 21:03 <DIR> dr------- C:\Documents and Settings\All Users\Start Menu
2006-12-16 21:03 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2006-12-16 21:03 <DIR> d--hs---- C:\WINDOWS\Installer
2006-12-16 21:03 <DIR> d--hs---- C:\Program Files\..
2006-12-16 21:03 <DIR> d--h----- C:\Documents and Settings\All Users\Templates
2006-12-16 21:03 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-12-16 21:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-12-16 21:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2006-12-16 21:03 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2006-12-16 21:03 <DIR> d-------- C:\Program Files\Common Files\ODBC
2006-12-16 21:03 <DIR> d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-16 21:03 <DIR> d-------- C:\Program Files\Common Files\.
2006-12-16 21:03 <DIR> d-------- C:\Program Files\Common Files
2006-12-16 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Favorites
2006-12-16 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-12-16 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\..
2006-12-16 21:02 <DIR> d-------- C:\Documents and Settings\All Users\..
2006-12-16 21:02 <DIR> d-------- C:\Documents and Settings\All Users\.
2006-12-16 21:02 <DIR> d-------- C:\Documents and Settings
2006-12-16 20:55 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2006-12-16 20:55 <DIR> dr--s---- C:\WINDOWS\Fonts
2006-12-16 20:55 <DIR> dr------- C:\WINDOWS\Web
2006-12-16 20:55 <DIR> d-a------ C:\WINDOWS\system32\drivers\..
2006-12-16 20:55 <DIR> d-a------ C:\WINDOWS\system32\.
2006-12-16 20:55 <DIR> d-a------ C:\WINDOWS\system32
2006-12-16 20:55 <DIR> d--hs---- C:\WINDOWS\..
2006-12-16 20:55 <DIR> d--h----- C:\WINDOWS\inf
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\WinSxS
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\twain_32
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\wins
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\wbem
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\usmt
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\spool
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\Setup
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\ras
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\oobe
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\npp
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\mui
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\IME
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\icsxml
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\ias
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\export
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\drivers\.
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\drivers
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\dhcp
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\config
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\3076
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\2052
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1054
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1042
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1041
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1037
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1033
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1031
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1028
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\1025
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system32\..
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system\..
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system\.
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\system
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\security
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Resources
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\repair
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Provisioning
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\PeerNet
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\pchealth
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\mui
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\msapps
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\msagent
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Media
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\java
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\ime
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Help
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Driver Cache
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Debug
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Cursors
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Connection Wizard
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\Config
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\AppPatch
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\addins
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS\.
2006-12-16 20:55 <DIR> d-------- C:\WINDOWS
2006-12-13 00:27 262,144 --a------ C:\WINDOWS\boinc.scr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
"RssReader "= "C:\\Program Files\\RssReader\\RssReader.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "
"KernelFaultCheck "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Windows Defender "= "\ "C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide "

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion "=dword:00000110
"DeskHtmlMinorVersion "=dword:00000005
"Settings "=dword:00000001
"GeneralFlags "=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source "= "About:Home "
"SubscribedURL "= "About:Home "
"FriendlyName "= "My Current Home Page "
"Flags "=dword:00000002
"Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState "=hex:04,00,00,40
"OriginalStateInfo "=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo "=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
"{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "= "Groove GFS Stub Execution Hook "
"{3FC4CAA7-71B5-44FC-A516-61D2AC9EF30D} "=" "
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} "= "Microsoft AntiMalware ShellExecuteHook "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091
"NoRun "=dword:00000000
"NoClose "=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
"WPDShServiceObj "= "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgggd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7600#MY3AL310DBK3.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-12-30 2:57:32.96
C:\ComboFix.txt ... 06-12-30 02:57

 

TeMerc

At what you see is the best point in your process consider the following.

The listed rootkit cleaners are not documented to specifically clean this issue
but due to the Huristics built into them they very well could.

I have fixed this before on a clients system on multiple computers.

But! I am always after the fix the first time thru so I shotguned it with multiple fixes.

In repair console I deleted all the known bad dll's and cleared all the temps. The logic is that even if you don't have the tool that directly kills/cleans this culprit that by deleteing parts of it that you throw it off balance (so to speak) so that more conventional methods will work.

So I reccomend doing this cleanup in repair console.

Additionally I would run multiple rootkit cleaners.

There is one rootkit cleaner that is documented to get a version of this culprit.

Along with the other Rootkt cleaners Consider:

Rootkit unhooker http://www.rku.xell.ru/?l=e&a=dl

Good luck

Mike

 

@mflynn:
I have removed this rootkit numerous times, very simply and easily from my own machine with noting more than GMER. Thanks for the info tho.

 

10-4

If you had mentioned 1st thing you were familiar with this one and had handled it before I would have never posted the first time.

Good day,

Mike

 

Well it looks as tho the ComboFix tool didn't pick up the lzx rk, it usually does as do several other tools.

Lets get a GMER log and I see some Vundo files in here as well, so lets run Vundo Fix too.

Download GMER from here

• Right Click the Zip and Select "Extract All "
• Double-click gmer.exe to launch the program. (If you get an immediate message about rootkit activity, ignore and proceed with instructuions please)
• Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.

Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.


Please download VundoFix.exe to your desktop.

• Double-click *VundoFix.exe* to run it.
• Click the *Scan for Vundo* button.
• Once it's done scanning, click the *Remove Vundo* button.
• You will receive a prompt asking if you want to remove the files, click *YES*
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click *OK*.
• Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

 

I cannot download GMER, the web page seems to be down. But I will run vundofix and post the results.

 

Here are my log files.

VundoFix V6.2.6

Checking Java version...

Scan started at 1:59:15 AM 12/31/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


and HJT

Logfile of HijackThis v1.99.1
Scan saved at 2:03:05 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\RssReader\RssReader.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: DIMES-Agent.lnk = C:\Program Files\DIMES\Agent\DimesDelayedLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166344555375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166344624046
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: khfgggd - khfgggd.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

The GMER sites are under DDoS attacks for the last week. Use this link and choose a USA-based site: http://www.majorgeeks.com/GMER_d5198.html

Then continue with TeMerc's instuctions earlier exactly as written.

You really want to stay on top of this, as since your last HJT log you have added a Look2Me infection.
O20 - Winlogon Notify: khfgggd - khfgggd.dll (file missing)

 

Darnit......I was reminded about that too, the bad link, tho the site is actually up and running again, but sporadicly. My apologies and thanks to Bill fro dropping the alternate link.

 

Here's my GMER log part 1:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-31 02:58:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

PAGE ntkrnlpa.exe!NtOpenThread + 6 805C9ED8 4 Bytes [ 1A, FB, 5C, 3A ]
.text USBPORT.SYS!DllUnload B9F1062C 5 Bytes JMP 89D5B740

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 89DDB1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 89DDB1D8
Device \Driver\00000044 \Device\00000041 IRP_MJ_POWER [BA6DFD74] sptd.sys
Device \Driver\00000044 \Device\00000041 IRP_MJ_SYSTEM_CONTROL [BA6F92A2] sptd.sys
Device \Driver\00000044 \Device\00000041 IRP_MJ_PNP [BA6FA228] sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{A003B472-5594-42B6-BE01-7E8A226B5B3B} IRP_MJ_CREATE 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A003B472-5594-42B6-BE01-7E8A226B5B3B} IRP_MJ_CLOSE 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A003B472-5594-42B6-BE01-7E8A226B5B3B} IRP_MJ_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A003B472-5594-42B6-BE01-7E8A226B5B3B} IRP_MJ_INTERNAL_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A003B472-5594-42B6-BE01-7E8A226B5B3B} IRP_MJ_CLEANUP 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A003B472-5594-42B6-BE01-7E8A226B5B3B} IRP_MJ_PNP 89A97980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 89DA4980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 89DA4980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 89DA4980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DA4980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 89DA4980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 89DA4980
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 89DA4980
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_CREATE 89C411D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_CLOSE 89C411D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 89C411D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89C411D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_POWER 89C411D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 89C411D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_PNP 89C411D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 89DDE1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_CREATE 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_CREATE_NAMED_PIPE 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_CLOSE 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_READ 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_WRITE 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_QUERY_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SET_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_QUERY_EA 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SET_EA 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_FLUSH_BUFFERS 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_QUERY_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SET_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_DIRECTORY_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_FILE_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SHUTDOWN 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_LOCK_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_CLEANUP 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_CREATE_MAILSLOT 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_QUERY_SECURITY 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SET_SECURITY 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_POWER 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_DEVICE_CHANGE 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_QUERY_QUOTA 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_SET_QUOTA 89DDC1D8
Device \Driver\nvata \Device\00000064 IRP_MJ_PNP 89DDC1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 89DDE1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_CREATE 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_CREATE_NAMED_PIPE 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_CLOSE 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_READ 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_WRITE 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_QUERY_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SET_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_QUERY_EA 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SET_EA 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_FLUSH_BUFFERS 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_QUERY_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SET_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_DIRECTORY_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_FILE_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SHUTDOWN 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_LOCK_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_CLEANUP 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_CREATE_MAILSLOT 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_QUERY_SECURITY 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SET_SECURITY 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_POWER 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_DEVICE_CHANGE 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_QUERY_QUOTA 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_SET_QUOTA 89DDC1D8
Device \Driver\nvata \Device\00000065 IRP_MJ_PNP 89DDC1D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_CREATE 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_CLOSE 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_READ 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_WRITE 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_DEVICE_CONTROL 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_INTERNAL_DEVICE_CONTROL 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_POWER 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_SYSTEM_CONTROL 89A801D8
Device \Driver\usbstor \Device\00000072 IRP_MJ_PNP 89A801D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 89D2D8D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 89D2D8D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 89DDE1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 89E4E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 89E4E1D8

 

and part 2

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 89E4E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 89E4E1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 89D2D8D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 89D2D8D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_PNP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_PNP 89DDE1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_CREATE 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_CREATE_NAMED_PIPE 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_CLOSE 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_READ 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_WRITE 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_QUERY_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SET_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_QUERY_EA 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SET_EA 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_FLUSH_BUFFERS 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_QUERY_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SET_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_DIRECTORY_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_FILE_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SHUTDOWN 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_LOCK_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_CLEANUP 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_CREATE_MAILSLOT 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_QUERY_SECURITY 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SET_SECURITY 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_POWER 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_DEVICE_CHANGE 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_QUERY_QUOTA 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_SET_QUOTA 89DDC1D8
Device \Driver\nvata \Device\00000068 IRP_MJ_PNP 89DDC1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_PNP 89DDE1D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 89A97980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 89A97980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 89A97980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 89A97980
Device \Driver\usbstor \Device\00000077 IRP_MJ_CREATE 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_CLOSE 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_READ 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_WRITE 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_DEVICE_CONTROL 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_INTERNAL_DEVICE_CONTROL 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_POWER 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_SYSTEM_CONTROL 89A801D8
Device \Driver\usbstor \Device\00000077 IRP_MJ_PNP 89A801D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_CREATE 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_CLOSE 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_DEVICE_CONTROL 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_POWER 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_SYSTEM_CONTROL 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2Port0 IRP_MJ_PNP 89E4B1D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 89A97980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 89A97980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 89A97980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 89A97980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CREATE 89DA4980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CLOSE 89DA4980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 89DA4980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DA4980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_POWER 89DA4980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 89DA4980
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_PNP 89DA4980
Device \Driver\NetBT \Device\NetBT_Tcpip_{556D29C5-7782-4756-93FD-C6BAD6B9CAEE} IRP_MJ_CREATE 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{556D29C5-7782-4756-93FD-C6BAD6B9CAEE} IRP_MJ_CLOSE 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{556D29C5-7782-4756-93FD-C6BAD6B9CAEE} IRP_MJ_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{556D29C5-7782-4756-93FD-C6BAD6B9CAEE} IRP_MJ_INTERNAL_DEVICE_CONTROL 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{556D29C5-7782-4756-93FD-C6BAD6B9CAEE} IRP_MJ_CLEANUP 89A97980
Device \Driver\NetBT \Device\NetBT_Tcpip_{556D29C5-7782-4756-93FD-C6BAD6B9CAEE} IRP_MJ_PNP 89A97980
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE_NAMED_PIPE 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CLOSE 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_READ 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_WRITE 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_EA 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_EA 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_FLUSH_BUFFERS 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DIRECTORY_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_FILE_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SHUTDOWN 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_LOCK_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CLEANUP 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE_MAILSLOT 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_SECURITY 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_SECURITY 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_POWER 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DEVICE_CHANGE 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_QUOTA 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_QUOTA 89DDC1D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_PNP 89DDC1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_CREATE 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_CLOSE 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_DEVICE_CONTROL 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_POWER 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_SYSTEM_CONTROL 89E4B1D8
Device \Driver\sbp2port \Device\Sbp2\Maxtor&OneTouch II&0&0010b921_00521705_Instance00 IRP_MJ_PNP 89E4B1D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_CREATE 89C411D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_CLOSE 89C411D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 89C411D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89C411D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_POWER 89C411D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 89C411D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_PNP 89C411D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE_NAMED_PIPE 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CLOSE 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_READ 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_WRITE 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_EA 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_EA 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_FLUSH_BUFFERS 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DIRECTORY_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_FILE_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SHUTDOWN 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_LOCK_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CLEANUP 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE_MAILSLOT 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_SECURITY 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_SECURITY 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_POWER 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DEVICE_CHANGE 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_QUOTA 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_QUOTA 89DDC1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_PNP 89DDC1D8

 

and finally, part 3

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 89AA67E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE_NAMED_PIPE 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CLOSE 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_READ 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_WRITE 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_EA 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_EA 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_FLUSH_BUFFERS 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_VOLUME_INFORMATION 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DIRECTORY_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_FILE_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SHUTDOWN 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_LOCK_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CLEANUP 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE_MAILSLOT 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_SECURITY 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_SECURITY 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_POWER 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SYSTEM_CONTROL 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DEVICE_CHANGE 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_QUOTA 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_QUOTA 89DDC1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_PNP 89DDC1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 89AA67E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 89AA67E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 89DDE1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 89DDE1D8
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_CREATE 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_CLOSE 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_POWER 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1Port6Path0Target0Lun0 IRP_MJ_PNP 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_CREATE 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_CLOSE 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_DEVICE_CONTROL 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_POWER 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_SYSTEM_CONTROL 89D5C768
Device \Driver\amrdbgyv \Device\Scsi\amrdbgyv1 IRP_MJ_PNP 89D5C768
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_CREATE 89E4D1D8
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_CLOSE 89E4D1D8
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_DEVICE_CONTROL 89E4D1D8
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4D1D8
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_POWER 89E4D1D8
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_SYSTEM_CONTROL 89E4D1D8
Device \Driver\JRAID \Device\Scsi\JRAID1 IRP_MJ_PNP 89E4D1D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 88835980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 88835980

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\John S. Medina\Favorites\BOINC Synergy.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\ClrMame Homepage.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\Combined BOINC Individual Member Rankings.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\Download BOINC client software.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\****theinter.net Index.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\GameCopyWorld.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\Geocaching - The Official Global GPS Cache Hunt Site.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\Google.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\MAME World Forums News Submission Board.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\mininova the ultimate bittorrent source!.url:favicon
ADS C:\Documents and Settings\John S. Medina\Favorites\Mr. Do!'s Arcade Page.url:favicon
ADS ...

---- EOF - GMER 1.0.12 ----